Re: Passive OS fingerprinting.

Evgeniy Polyakov wrote:
> On Tue, Jul 01, 2008 at 03:41:58PM +0200, Patrick McHardy (kaber@xxxxxxxxx) wrote:
>>> I am also not sure OSF should live in kernel, but what it does it does
>>> good and there is no simple way to do the same with existing
>>> functionality. It is possible, but not simple, and definitely not
>>> trivial for administrator :)
>> I don't like the current way such things are implemented in iptables
>> (have all logic in the kernel instead of just providing a mechanism
>> for implementing it in userspace and presenting a nice view to the
>> administrator). That's not your fault of course and your module is
>> also not the first one to do this.
>
> I bet it is not the last one :)

I truly hope it will be since I'm working (slowly, as time permits)
on the *tables successor that will implement things like this in
userspace. Every module we add that adds more complicated logic in
the kernel will make adding an iptables compat layer harder.

>> Unfortunately it's most likely not possible to convince me to like
>> this, so let's just say that I'm fine with merging it if someone
>> speaks up in favour of it :)
>
> Cool. If no one will reply, nothing actually changes :)
> OSF lived on its own all the time except several months in patch-o-matic
> and then its next generation.

I'd CC the netfilter user list, it's likely you'll find some voices
in favour there :)

>>> There was no nfnetlink either 5 years ago, when OSF was created,
>>> this release is just a subsequent update to the project.
>>> At some moment OSF shared netlink group with ulog, but it was
>>> considered harmful, so I dropped support. Netlink usage is
>>> rather trivial: it just sends information about matched packet to
>>> userspace, so it can block it on its own, raise a message in the window
>>> or perform some other steps. Nothing exceptionally complex :)
>> Yes, but I don't want to add another interface netfilter userspace
>> has to know about. It should either use nfnetlink and remove the proc
>> interface, or remove the connector interface and use proc.
>> Preferably the former.
>
> It uses proc to load rules - I do not like it either, but it was the
> simplest way to do so :)

We can rethink that part if it will actually get merged.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html